Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
commit 0ae052c
Author: Stephen Augustus <[email protected]>
Date:   Tue May 28 11:10:53 2024 +0200

    docs: Allstar is now a part of the OpenSSF Scorecard project

    Signed-off-by: Stephen Augustus <[email protected]>

commit 3dc172e
Author: Stephen Augustus <[email protected]>
Date:   Tue May 28 15:50:53 2024 +0200

    docs: Adopt OpenSSF Scorecard contributor ladder

    Signed-off-by: Stephen Augustus <[email protected]>

commit cc8cc68
Author: Jeff Mendoza <[email protected]>
Date:   Fri May 3 12:30:32 2024 -0700

    Fix name of ko in cloudbuild

    Signed-off-by: Jeff Mendoza <[email protected]>

commit 80ddc24
Author: Jeff Mendoza <[email protected]>
Date:   Fri May 3 12:18:56 2024 -0700

    Update go modules

    Signed-off-by: Jeff Mendoza <[email protected]>

commit 27c8070
Author: Jeff Mendoza <[email protected]>
Date:   Fri May 3 12:06:48 2024 -0700

    Update sc client mock

    Signed-off-by: Jeff Mendoza <[email protected]>

commit 5388811
Author: Jeff Mendoza <[email protected]>
Date:   Wed Mar 27 16:13:32 2024 -0700

    Update scorecard and Go versions.

    Signed-off-by: Jeff Mendoza <[email protected]>

commit 3d71f35
Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Date:   Fri Mar 22 13:21:37 2024 +0000

    Bump github.com/bradleyfalzon/ghinstallation/v2 from 2.9.0 to 2.10.0

    Bumps [github.com/bradleyfalzon/ghinstallation/v2](https://github.com/bradleyfalzon/ghinstallation) from 2.9.0 to 2.10.0.
    - [Release notes](https://github.com/bradleyfalzon/ghinstallation/releases)
    - [Commits](bradleyfalzon/ghinstallation@v2.9.0...v2.10.0)

    ---
    updated-dependencies:
    - dependency-name: github.com/bradleyfalzon/ghinstallation/v2
      dependency-type: direct:production
      update-type: version-update:semver-minor
    ...

    Signed-off-by: dependabot[bot] <[email protected]>

commit f42d035
Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Date:   Wed Mar 13 13:38:46 2024 +0000

    Bump gocloud.dev from 0.36.0 to 0.37.0

    Bumps [gocloud.dev](https://github.com/google/go-cloud) from 0.36.0 to 0.37.0.
    - [Release notes](https://github.com/google/go-cloud/releases)
    - [Commits](google/go-cloud@v0.36.0...v0.37.0)

    ---
    updated-dependencies:
    - dependency-name: gocloud.dev
      dependency-type: direct:production
      update-type: version-update:semver-minor
    ...

    Signed-off-by: dependabot[bot] <[email protected]>

commit c26edb2
Author: twelsh-aw <[email protected]>
Date:   Tue Mar 19 20:06:46 2024 -0400

    Update issue in IssueRepo when change detected

    This was trying (and depending on app permissions, succeeding) at
    changing issue descriptions in repos directly even when IssueRepo was set.

    We update to obey IssueRepo config setting in this case

    Signed-off-by: twelsh-aw <[email protected]>

commit 964a34c
Author: Jeff Mendoza <[email protected]>
Date:   Thu Mar 7 14:23:29 2024 -0800

    Switch to using a single worker

    Change "workers" cli option to be in pkg/config/operator and use
    ALLSTAR_NUM_WORKERS envvar with same default at 5.

    Update staging and prod config to use 1 worker to save concurrent
    memory usage.

    Signed-off-by: Jeff Mendoza <[email protected]>

commit 9c5f410
Author: Jeff Mendoza <[email protected]>
Date:   Wed Mar 6 15:23:58 2024 -0800

    Change cache to avoid memory use

    Originally, the cache was intended to be long lived to handle incoming
    webhooks at any time. Currently, we are just polling, and just need the
    cache to handle a single "EnforceAll" run, where we hit the same paths
    multiple times in that run.

    Therefore, change the cache to be per-installation, and free it after
    each "EnforceAll".

    Signed-off-by: Jeff Mendoza <[email protected]>

commit 24b20ac
Author: Jeff Mendoza <[email protected]>
Date:   Fri Mar 1 14:31:05 2024 -0800

    Avoid panic when workflow dir contains other dirs.

    Signed-off-by: Jeff Mendoza <[email protected]>

commit 68e3449
Author: Jeff Mendoza <[email protected]>
Date:   Fri Mar 1 11:42:41 2024 -0800

    Avoid panic with scorecard logs.

    Signed-off-by: Jeff Mendoza <[email protected]>

commit c532eed
Author: Jeff Mendoza <[email protected]>
Date:   Fri Mar 1 11:33:01 2024 -0800

    Fix parsing of github action name.

    Signed-off-by: Jeff Mendoza <[email protected]>

commit 609be43
Author: Jeff Mendoza <[email protected]>
Date:   Fri Mar 1 08:35:46 2024 -0800

    Catch unknown scorecard check.

    Signed-off-by: Jeff Mendoza <[email protected]>

commit 26a969c
Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Date:   Thu Feb 29 13:13:07 2024 +0000

    Bump sigstore/cosign-installer from 3.2.0 to 3.4.0

    Bumps [sigstore/cosign-installer](https://github.com/sigstore/cosign-installer) from 3.2.0 to 3.4.0.
    - [Release notes](https://github.com/sigstore/cosign-installer/releases)
    - [Commits](sigstore/cosign-installer@1fc5bd3...e1523de)

    ---
    updated-dependencies:
    - dependency-name: sigstore/cosign-installer
      dependency-type: direct:production
      update-type: version-update:semver-minor
    ...

    Signed-off-by: dependabot[bot] <[email protected]>

commit 61a80e1
Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Date:   Thu Feb 29 13:13:04 2024 +0000

    Bump actions/dependency-review-action from 3 to 4

    Bumps [actions/dependency-review-action](https://github.com/actions/dependency-review-action) from 3 to 4.
    - [Release notes](https://github.com/actions/dependency-review-action/releases)
    - [Commits](actions/dependency-review-action@v3...v4)

    ---
    updated-dependencies:
    - dependency-name: actions/dependency-review-action
      dependency-type: direct:production
      update-type: version-update:semver-major
    ...

    Signed-off-by: dependabot[bot] <[email protected]>

commit c4fc8c4
Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Date:   Wed Feb 28 13:54:26 2024 +0000

    Bump actions/upload-artifact from 3 to 4

    Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 3 to 4.
    - [Release notes](https://github.com/actions/upload-artifact/releases)
    - [Commits](actions/upload-artifact@v3...v4)

    ---
    updated-dependencies:
    - dependency-name: actions/upload-artifact
      dependency-type: direct:production
      update-type: version-update:semver-major
    ...

    Signed-off-by: dependabot[bot] <[email protected]>

commit a4b662a
Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Date:   Wed Feb 28 13:54:20 2024 +0000

    Bump github/codeql-action from 2 to 3

    Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2 to 3.
    - [Release notes](https://github.com/github/codeql-action/releases)
    - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
    - [Commits](github/codeql-action@v2...v3)

    ---
    updated-dependencies:
    - dependency-name: github/codeql-action
      dependency-type: direct:production
      update-type: version-update:semver-major
    ...

    Signed-off-by: dependabot[bot] <[email protected]>

commit 1192f07
Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Date:   Wed Feb 28 13:54:13 2024 +0000

    Bump golangci/golangci-lint-action from 3 to 4

    Bumps [golangci/golangci-lint-action](https://github.com/golangci/golangci-lint-action) from 3 to 4.
    - [Release notes](https://github.com/golangci/golangci-lint-action/releases)
    - [Commits](golangci/golangci-lint-action@v3...v4)

    ---
    updated-dependencies:
    - dependency-name: golangci/golangci-lint-action
      dependency-type: direct:production
      update-type: version-update:semver-major
    ...

    Signed-off-by: dependabot[bot] <[email protected]>

commit b48eddb
Author: Jeff Mendoza <[email protected]>
Date:   Tue Feb 27 15:29:58 2024 -0800

    Update a lot of go deps.

    Signed-off-by: Jeff Mendoza <[email protected]>

commit 92f6ce6
Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Date:   Wed Nov 8 13:31:30 2023 +0000

    Bump sigstore/cosign-installer from 3.0.5 to 3.2.0

    Bumps [sigstore/cosign-installer](https://github.com/sigstore/cosign-installer) from 3.0.5 to 3.2.0.
    - [Release notes](https://github.com/sigstore/cosign-installer/releases)
    - [Commits](sigstore/cosign-installer@dd6b2e2...1fc5bd3)

    ---
    updated-dependencies:
    - dependency-name: sigstore/cosign-installer
      dependency-type: direct:production
      update-type: version-update:semver-minor
    ...

    Signed-off-by: dependabot[bot] <[email protected]>

commit 83b10b5
Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Date:   Mon Sep 4 14:00:13 2023 +0000

    Bump actions/checkout from 3 to 4

    Bumps [actions/checkout](https://github.com/actions/checkout) from 3 to 4.
    - [Release notes](https://github.com/actions/checkout/releases)
    - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
    - [Commits](actions/checkout@v3...v4)

    ---
    updated-dependencies:
    - dependency-name: actions/checkout
      dependency-type: direct:production
      update-type: version-update:semver-major
    ...

    Signed-off-by: dependabot[bot] <[email protected]>

commit 3521ed8
Author: Colm O hEigeartaigh <[email protected]>
Date:   Mon Jan 8 11:45:27 2024 +0000

    Don't create issues for dangerous workflows when we have an inconclusive result

    Signed-off-by: Colm O hEigeartaigh <[email protected]>

commit 2767817
Author: Raghav Kaul <[email protected]>
Date:   Wed Nov 22 20:56:33 2023 +0000

    Update scorecard

    Signed-off-by: Raghav Kaul <[email protected]>

    update scorecard

    Signed-off-by: Raghav Kaul <[email protected]>

commit c2c6202
Author: Raghav Kaul <[email protected]>
Date:   Mon Nov 27 20:10:52 2023 +0000

    Lock entire cleanup method

    * (Not sure if this is needed, githubclient.Close() is thread safe)

    Signed-off-by: Raghav Kaul <[email protected]>

commit cd0a83b
Author: Raghav Kaul <[email protected]>
Date:   Mon Nov 27 20:10:07 2023 +0000

    Initialize scClients map once globally

    Signed-off-by: Raghav Kaul <[email protected]>

commit b9a43c0
Author: Raghav Kaul <[email protected]>
Date:   Mon Nov 27 17:06:38 2023 +0000

    Don't recreate scorecard clients multiple times

    Signed-off-by: Raghav Kaul <[email protected]>

commit 968a887
Author: Raghav Kaul <[email protected]>
Date:   Mon Nov 27 15:49:51 2023 +0000

    Parameterize max goroutines

    Signed-off-by: Raghav Kaul <[email protected]>

commit 00e8917
Author: Evan Anderson <[email protected]>
Date:   Sat Jun 24 11:33:33 2023 -0700

    Rename `boolArgPtr` to `runOnce`

    Signed-off-by: Evan Anderson <[email protected]>

commit 1c18a33
Author: Jeff Mendoza <[email protected]>
Date:   Wed Nov 22 08:10:06 2023 -0800

    Revert ossf#471 empty check

    Signed-off-by: Jeff Mendoza <[email protected]>

commit 5bc0d49
Author: Raghav Kaul <[email protected]>
Date:   Thu Nov 9 20:51:36 2023 +0000

    update

    Signed-off-by: Raghav Kaul <[email protected]>

commit 210e999
Author: Raghav Kaul <[email protected]>
Date:   Wed Nov 8 20:45:11 2023 +0000

    Use GitHub RepositoriesService.GetContent API

    Signed-off-by: Raghav Kaul <[email protected]>

commit 4b3f718
Author: Raghav Kaul <[email protected]>
Date:   Tue Nov 7 14:31:45 2023 +0000

    Fix tests

    Signed-off-by: Raghav Kaul <[email protected]>

commit 2531796
Author: Raghav Kaul <[email protected]>
Date:   Mon Nov 6 20:30:18 2023 +0000

    Skip empty repositories for enforcement

    Signed-off-by: Raghav Kaul <[email protected]>

commit 2ec2dca
Author: Raghav Kaul <[email protected]>
Date:   Thu Nov 16 16:26:40 2023 +0000

    Update nocache condition

    Signed-off-by: Raghav Kaul <[email protected]>